Open bc-pi opened 7 months ago
Yes, it is meant to be the value from the Sec-Session-Challenge header. We'll clarify this and other hand-waving in the examples.
That would be great, thanks!
Additional clarity around the content of the JWT and required verification steps could also be provided in text. I'm sure you're already tired of me mentioning DPoP but https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2 and https://www.rfc-editor.org/rfc/rfc9449.html#section-4.3 are an example of a spec describing somewhat similar JWT syntax and verification steps respectively.
An example JWT has
"jti": "nonce",
but the word nonce doesn't appear anywhere else. Is the value intended to be the challenge from the Sec-Session-Challenge header? This could use some clarification/fixing.
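Added example, not part of the issue or of the project's code: a server-side verification routine in the spirit of the DPoP steps referenced above, built on the reading the maintainer confirmed (the JWT's `jti` must equal the challenge the server sent in `Sec-Session-Challenge`). Everything beyond that one point is an assumption for illustration: the challenge store keyed by a session id, HS256 over a shared key standing in for whatever signature scheme the spec settles on, and the `exp` check. The security-relevant behaviour is that the challenge is compared in constant time and consumed on success, so a captured JWT cannot be replayed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side store of outstanding challenges, keyed by session id.
# A challenge is single-use: it is removed once a JWT bound to it verifies.
_challenges: dict = {}


def issue_challenge(session_id: str) -> str:
    """Mint a fresh challenge; the server would send it in Sec-Session-Challenge."""
    challenge = secrets.token_urlsafe(32)
    _challenges[session_id] = challenge
    return challenge


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(payload: dict, key: bytes) -> str:
    """Build an HS256 compact JWS (assumed stand-in for the real signature scheme)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_session_jwt(token: str, session_id: str, key: bytes,
                       now: Optional[float] = None) -> dict:
    """Verify a session JWT against the challenge issued for session_id.

    Raises ValueError on any failure; returns the payload on success.
    """
    now = time.time() if now is None else now
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed compact JWS")
    h_b64, p_b64, s_b64 = pieces

    # 1. Header: only the expected algorithm is accepted (no "none", no alg confusion).
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # 2. Signature, checked before trusting any claim.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    # 3. jti must equal the outstanding Sec-Session-Challenge value for this session.
    payload = json.loads(_b64url_decode(p_b64))
    challenge = _challenges.get(session_id)
    presented = str(payload.get("jti", "")).encode()
    if challenge is None or not hmac.compare_digest(presented, challenge.encode()):
        raise ValueError("jti does not match outstanding Sec-Session-Challenge")

    # 4. Optional expiry claim.
    if "exp" in payload and payload["exp"] < now:
        raise ValueError("token expired")

    # 5. Consume the challenge so the same JWT cannot be presented twice.
    del _challenges[session_id]
    return payload


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed sample key
    challenge = issue_challenge("session-1")
    token = make_jwt({"jti": challenge, "sub": "session-1"}, key)
    print(verify_session_jwt(token, "session-1", key))
```

Replaying the same token, or presenting a JWT whose `jti` is the literal string "nonce" from the draft's example, fails the check at step 3.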